Hi Noah,

Thanks a lot for your fast answer!

On Monday, 06-Oct-03 at 17:58:10, Noah L. Meyerhans wrote:
> On Mon, Oct 06, 2003 at 05:31:05PM +0100, Andreas W?st wrote:
>> Hmmm, so what? Are these problems somehow tied together? Furthermore,
>> what is the probability that the system has really been cracked, and
>> the logcheck message is not a false positive? I wonder, because it's
>> not a server machine, it has no services running, except the dhcp
>> client listening on a port. Nothing else.
>
> It sounds to me, from the symptoms you described, that /var has
> somehow been mounted read-only. Check that first.

Well, I wished it would be like that, but /var hasn't got its own partition, it gets mounted together with all the other stuff except /boot.

> You don't have much evidence that it's a security issue at this point.
> Logcheck's "active system attack" messages rarely indicate such a
> thing. Don't do anything drastic like reinstall the system until
> you've got better evidence that you've been cracked. In this case, I
> doubt you have.

Well, reinstall is the last resort since it always takes hours to get back the normal environment. I hope you've got some more ideas. I'm strictly following all the security updates, and have a light mix of woody and sid packages.

Well, I further noticed some error messages from gconf, about not being able to delete some files, because they were not successfully synced. I am seeing these messages quite often, although yesterday there were quite a lot of them. I've never really researched the topic, but I think it could be related to sleep, and therefore a not perfect flush of the buffers or something. I wonder if this might somehow have affected the logcheck stuff.

--
Best wishes,
Andi